import nbdkit-1.40.4-1.el10

4 months ago · 35dc77509d
commit 35dc77509d
10 changed files with 3327 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
 SOURCES/libguestfs.keyring
 SOURCES/nbdkit-1.40.4.tar.gz
--- a/.nbdkit.metadata
+++ b/.nbdkit.metadata
@ -0,0 +1,2 @@
 cc1b37b9cfafa515aab3eefd345ecc59aac2ce7b SOURCES/libguestfs.keyring
 b2efd184db679430aa17e70f69077fff4df7f7dd SOURCES/nbdkit-1.40.4.tar.gz
--- a/SOURCES/copy-patches.sh
+++ b/SOURCES/copy-patches.sh
@ -0,0 +1,55 @@
 #!/bin/bash -
 set -e
 # Maintainer script to copy patches from the git repo to the current
 # directory.  Use it like this:
 #   ./copy-patches.sh
 rhel_version=10.0
 # Check we're in the right directory.
 if [ ! -f nbdkit.spec ]; then
    echo "$0: run this from the directory containing 'nbdkit.spec'"
    exit 1
 fi
 git_checkout=$HOME/d/nbdkit-rhel-$rhel_version
 if [ ! -d $git_checkout ]; then
    echo "$0: $git_checkout does not exist"
    echo "This script is only for use by the maintainer when preparing a"
    echo "nbdkit release on RHEL."
    exit 1
 fi
 # Get the base version of nbdkit.
 version=`grep '^Version:' nbdkit.spec | awk '{print $2}'`
 tag="v$version"
 # Remove any existing patches.
 git rm -f [0-9]*.patch ||:
 rm -f [0-9]*.patch
 # Get the patches.
 (cd $git_checkout; rm -f [0-9]*.patch; git format-patch -N $tag)
 mv $git_checkout/[0-9]*.patch .
 # Remove any not to be applied.
 rm -f *NOT-FOR-RPM*.patch
 # Add the patches.
 git add [0-9]*.patch
 # Print out the patch lines.
 echo
 echo "--- Copy the following text into nbdkit.spec file"
 echo
 echo "# Patches."
 for f in [0-9]*.patch; do
    n=`echo $f | awk -F- '{print $1}'`
    echo "Patch$n:     $f"
 done
 echo
 echo "--- End of text"
--- a/SOURCES/nbdkit-1.40.4.tar.gz.sig
+++ b/SOURCES/nbdkit-1.40.4.tar.gz.sig
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmb3G0QRHHJpY2hAYW5u
 ZXhpYS5vcmcACgkQkXOPc+G3aKBAohAAmJ03Ebg70A6EiKf2HCI1rLC5emLCzwX+
 6YihoD7lFoYh8LPNfg7WCfG8WlrHS3kgb7zIRaqVYn5HWWs/vNAU2+R8uoHoRETe
 hvAZZuXKxDkgNM5CYT7G6sGXQnh5Gn/XNo45oypHFh/vupkjEj5KtgRHkBFivut9
 /fe9JC2IW22FhyuK3XD0zf4tI2m78bLdE4S/tyWuHSGks1cJy5oq03qOkOwFUNOb
 xPvMkPepLClxmgr5fWuKt2A4K/EgrnBOtEvT+lAfI70J12Yiz19VdKK4AV3kBfOm
 U9LrDa6jOCtEkO9leiWUl7LguzyqCsI8r/72OC+Ub/RIIqDqh7tQi7ZwcdvJCZb7
 ZtIY43/XeqFtLXh8D//FpcBwdu9O8h81aTH2s/5QaIUPoY3jCTY+3r5ENv1793YB
 Ar6uWRXt6ID4TaFWO9gPJ4+J0qJJwK39K1CmvA72xn2wBTzoZMp1DEt8Jh/Dnnnp
 74yqhisWXN4ZH+sXKhmSuDl37B0zjRtrGQltTEdcSykh2Gr92f89v87FcUh9PFrj
 cq+hjzoYNQWsjutgKEuqwSM1wmeFOok81fKfwAFqqt+damw7vSUyCXDidh8FDgHC
 l2EwibvKWAQzB+ywqRxP0cekhqqY2WEqW0JFNMLMvJRFOdwooSjB03kwTMQj7/42
 01UYnKoT2u4=
 =7H2+
 -----END PGP SIGNATURE-----
--- a/SOURCES/nbdkit-find-provides
+++ b/SOURCES/nbdkit-find-provides
@ -0,0 +1,23 @@
 #!/bin/bash -
 # Generate RPM provides automatically for nbdkit packages and filters.
 # Copyright (C) 2009-2022 Red Hat Inc.
 # To test:
 # find /usr/lib64/nbdkit/plugins | ./nbdkit-find-provides VER REL
 # find /usr/lib64/nbdkit/filters | ./nbdkit-find-provides VER REL
 ver="$1"
 rel="$2"
 function process_file
 {
    if [[ $1 =~ /plugins/nbdkit-.*-plugin ]] ||
       [[ $1 =~ /filters/nbdkit-.*-filter ]]; then
        echo "Provides:" "$(basename $1 .so)" "=" "$ver-$rel"
    fi
 }
 while read line; do
    process_file "$line"
 done
--- a/SOURCES/nbdkit.attr
+++ b/SOURCES/nbdkit.attr
@ -0,0 +1,3 @@
 %__nbdkit_provides %{_rpmconfigdir}/nbdkit-find-provides %{version} %{release}
 %__nbdkit_path     %{_libdir}/nbdkit/(plugins|filters)/nbdkit-.*-(plugin|filter)(\.so)?$
 %__nbdkit_flags    exeonly
--- a/SOURCES/nbdkit.fc
+++ b/SOURCES/nbdkit.fc
@ -0,0 +1,3 @@
 /usr/sbin/nbdkit	 --    gen_context(system_u:object_r:nbdkit_exec_t,s0)
 /usr/lib/systemd/system/nbdkit.*	gen_context(system_u:object_r:nbdkit_unit_file_t,s0)
--- a/SOURCES/nbdkit.if
+++ b/SOURCES/nbdkit.if
@ -0,0 +1,207 @@
 ## <summary>policy for nbdkit</summary>
 ########################################
 ## <summary>
 ##    Execute nbdkit_exec_t in the nbdkit domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##    Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`nbdkit_domtrans',`
 	gen_require(`
 		type nbdkit_t, nbdkit_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
 ')
 ######################################
 ## <summary>
 ##    Execute nbdkit in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##    <summary>
 ##    Domain allowed access.
 ##    </summary>
 ## </param>
 #
 interface(`nbdkit_exec',`
 	gen_require(`
 		type nbdkit_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, nbdkit_exec_t)
 ')
 ########################################
 ## <summary>
 ##    Execute nbdkit in the nbdkit domain, and
 ##    allow the specified role the nbdkit domain.
 ## </summary>
 ## <param name="domain">
 ##    <summary>
 ##    Domain allowed to transition
 ##    </summary>
 ## </param>
 ## <param name="role">
 ##    <summary>
 ##    The role to be allowed the nbdkit domain.
 ##    </summary>
 ## </param>
 #
 interface(`nbdkit_run',`
 	gen_require(`
 		type nbdkit_t;
 		attribute_role nbdkit_roles;
 	')
 	nbdkit_domtrans($1)
 	roleattribute $2 nbdkit_roles;
 ')
 ########################################
 ## <summary>
 ##    Role access for nbdkit
 ## </summary>
 ## <param name="role">
 ##    <summary>
 ##    Role allowed access
 ##    </summary>
 ## </param>
 ## <param name="domain">
 ##    <summary>
 ##    User domain for the role
 ##    </summary>
 ## </param>
 #
 interface(`nbdkit_role',`
 	gen_require(`
 		type nbdkit_t;
 		attribute_role nbdkit_roles;
 	')
 	roleattribute $1 nbdkit_roles;
 	nbdkit_domtrans($2)
 	ps_process_pattern($2, nbdkit_t)
 	allow $2 nbdkit_t:process { signull signal sigkill };
 ')
 ########################################
 ## <summary>
 ##	Allow attempts to connect to nbdkit
 ##	with a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`nbdkit_stream_connect',`
 	gen_require(`
 		type nbdkit_t;
 	')
 	allow $1 nbdkit_t:unix_stream_socket connectto;
 ')
 ########################################
 ## <summary>
 ##      Allow nbdkit_exec_t to be an entrypoint
 ##      of the specified domain
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`nbdkit_entrypoint',`
        gen_require(`
                type nbdkit_exec_t;
        ')
        allow $1 nbdkit_exec_t:file entrypoint;
 ')
 # ----------------------------------------------------------------------
 # RWMJ: See:
 # https://issues.redhat.com/browse/RHEL-5174?focusedId=23387259&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23387259
 # Remove this when virt.if gets updated.
 ########################################
 #
 # Interface compatibility blocks
 #
 # The following definitions ensure compatibility with distribution policy
 # versions that do not contain given interfaces (epel, or older Fedora
 # releases).
 # Each block tests for existence of given interface and defines it if needed.
 #
 ########################################
 ## <summary>
 ##      Read and write to svirt_image dirs.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 ifndef(`virt_rw_svirt_image_dirs',`
 	interface(`virt_rw_svirt_image_dirs',`
 		gen_require(`
 			type svirt_image_t;
 		')
 		allow $1 svirt_image_t:dir rw_dir_perms;
 	')
 ')
 ########################################
 ## <summary>
 ##      Create svirt_image sock_files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 ifndef(`virt_create_svirt_image_sock_files',`
 	interface(`virt_create_svirt_image_sock_files',`
 		gen_require(`
 			type svirt_image_t;
 		')
 		allow $1 svirt_image_t:sock_file create_sock_file_perms;
 	')
 ')
 ########################################
 ## <summary>
 ## 	Read and write virtlogd pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##      Domain allowed access.
 ## </summary>
 ## </param>
 #
 ifndef(`virtlogd_rw_pipes',`
 	interface(`virtlogd_rw_pipes',`
 	        gen_require(`
 	                type virtlogd_t;
 	        ')
 	        allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
 	')
 ')
--- a/SOURCES/nbdkit.te
+++ b/SOURCES/nbdkit.te
@ -0,0 +1,100 @@
 policy_module(nbdkit, 1.0.0)
 ########################################
 #
 # Declarations
 #
 gen_require(`
    type unconfined_t;
 ')
 type nbdkit_t;
 type nbdkit_exec_t;
 application_domain(nbdkit_t, nbdkit_exec_t)
 mcs_constrained(nbdkit_t)
 role system_r types nbdkit_t;
 type nbdkit_home_t;
 userdom_user_home_content(nbdkit_home_t)
 type nbdkit_tmp_t;
 files_tmp_file(nbdkit_tmp_t)
 type nbdkit_unit_file_t;
 systemd_unit_file(nbdkit_unit_file_t)
 permissive nbdkit_t;
 ########################################
 #
 # nbdkit local policy
 #
 allow nbdkit_t self:capability { setgid setuid };
 allow nbdkit_t self:fifo_file rw_fifo_file_perms;
 allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
 allow nbdkit_t self:process { fork setsockcreate signal_perms };
 allow nbdkit_t self:tcp_socket create_stream_socket_perms;
 allow nbdkit_t self:udp_socket create_socket_perms;
 manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
 manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t) 
 userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
 manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
 manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t) 
 userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
 corenet_tcp_connect_http_port(nbdkit_t)
 corenet_tcp_connect_ssh_port(nbdkit_t)
 corenet_tcp_connect_tftp_port(nbdkit_t)
 corenet_tcp_bind_generic_port(nbdkit_t)
 corenet_tcp_bind_generic_node(nbdkit_t)
 domain_use_interactive_fds(nbdkit_t)
 files_read_etc_files(nbdkit_t)
 init_abstract_socket_activation(nbdkit_t)
 init_ioctl_stream_sockets(nbdkit_t)
 init_rw_stream_sockets(nbdkit_t)
 optional_policy(`
 	auth_use_nsswitch(nbdkit_t)
 ')
 optional_policy(`
 	logging_send_syslog_msg(nbdkit_t)
 ')
 optional_policy(`
 	miscfiles_read_localization(nbdkit_t)
 	miscfiles_read_generic_certs(nbdkit_t)
 ')
 optional_policy(`
 	sysnet_dns_name_resolve(nbdkit_t)
 	sysnet_read_config(nbdkit_t)
 ')
 optional_policy(`
 	userdom_read_user_home_content_files(nbdkit_t)
 	userdom_use_inherited_user_ptys(nbdkit_t)
 ')
 optional_policy(`
 	virt_create_svirt_image_sock_files(nbdkit_t)
 	virt_read_qemu_pid_files(nbdkit_t)
 	virtlogd_rw_pipes(nbdkit_t)
 	virt_rw_svirt_image(nbdkit_t)
 	virt_rw_svirt_image_dirs(nbdkit_t)
 	virt_search_lib(nbdkit_t)
 	virt_stream_connect_svirt(nbdkit_t)
 ')
 # FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to 
 # nbdkit_t when libvirtd was started manually from the commandline (i.e. in 
 # unconfined_t), but we don't want this transition to happen automatically 
 # when starting directly from the shell. I'm not sure how to achieve this...  
 #nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)
--- a/SPECS/nbdkit.spec
+++ b/SPECS/nbdkit.spec
		`@ -0,0 +1,2 @@`
							`SOURCES/libguestfs.keyring`
							`SOURCES/nbdkit-1.40.4.tar.gz`
		`@ -0,0 +1,2 @@`
							`cc1b37b9cfafa515aab3eefd345ecc59aac2ce7b SOURCES/libguestfs.keyring`
							`b2efd184db679430aa17e70f69077fff4df7f7dd SOURCES/nbdkit-1.40.4.tar.gz`
		`@ -0,0 +1,3 @@`
							`/usr/sbin/nbdkit -- gen_context(system_u:object_r:nbdkit_exec_t,s0)`

							`/usr/lib/systemd/system/nbdkit.* gen_context(system_u:object_r:nbdkit_unit_file_t,s0)`